Accepting request 911127 from home:fusionfuture:branches:devel:languages:python:Factory

- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch which fixes http client infinite line reading (DoS) after a http 100 (bpo#44022, boo#1189241). OBS-URL: https://build.opensuse.org/request/show/911127 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=296
2021-08-10 04:45:07 +00:00 · 2021-08-10 04:45:07 +00:00 · 3cfc9f2646
commit 3cfc9f2646
parent 767f0ce31a
7 changed files with 51 additions and 0 deletions
--- a/bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+++ b/bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
@ -0,0 +1,21 @@
+--- a/Lib/httplib.py
+++ b/Lib/httplib.py
+@@ -449,6 +449,7 @@ class HTTPResponse:
+             if status != CONTINUE:
+                 break
+             # skip the header from the 100 response
+            header_count = 0
+             while True:
+                 skip = self.fp.readline(_MAXLINE + 1)
+                 if len(skip) > _MAXLINE:
+@@ -458,6 +459,10 @@ class HTTPResponse:
+                     break
+                 if self.debuglevel > 0:
+                     print "header:", skip
+                # bpo-44022: Fix http client infinite line reading (DoS) after a http 100
+                header_count += 1
+                if header_count > _MAXHEADERS:
+                    raise HTTPException("got more than %d headers" % _MAXHEADERS)
+ 
+         self.status = status
+         self.reason = reason.strip()
--- a/python-base.changes
+++ b/python-base.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Aug  9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
+
+- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+  which fixes http client infinite line reading (DoS) after a http 
+  100 (bpo#44022, boo#1189241).
+
 -------------------------------------------------------------------
 Fri Feb 26 18:21:55 UTC 2021 - Matej Cepl <mcepl@suse.com>

--- a/python-base.spec
+++ b/python-base.spec
@ -103,6 +103,8 @@ Patch61:        CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch
 # PATCH-FIX-UPSTREAM CVE-2021-23336-only-amp-as-query-sep.patch bsc#[0-9]+ mcepl@suse.com
 # this patch makes things totally awesome
 Patch62:        CVE-2021-23336-only-amp-as-query-sep.patch
+# PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
+Patch63:        bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@ -230,6 +232,7 @@ other applications.
 %patch60 -p1
 %patch61 -p1
 %patch62 -p1
+%patch63 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
--- a/python-doc.changes
+++ b/python-doc.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Aug  9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
+
+- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+  which fixes http client infinite line reading (DoS) after a http 
+  100 (bpo#44022, boo#1189241).
+
 -------------------------------------------------------------------
 Fri Feb 26 18:21:55 UTC 2021 - Matej Cepl <mcepl@suse.com>

--- a/python-doc.spec
+++ b/python-doc.spec
@ -105,6 +105,8 @@ Patch61:        CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch
 # PATCH-FIX-UPSTREAM CVE-2021-23336-only-amp-as-query-sep.patch bsc#[0-9]+ mcepl@suse.com
 # this patch makes things totally awesome
 Patch62:        CVE-2021-23336-only-amp-as-query-sep.patch
+# PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
+Patch63:        bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc
 Provides:       pyth_ps
@ -174,6 +176,7 @@ Python, and Macintosh Module Reference in PDF format.
 %patch60 -p1
 %patch61 -p1
 %patch62 -p1
+%patch63 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
--- a/python.changes
+++ b/python.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Aug  9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
+
+- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+  which fixes http client infinite line reading (DoS) after a http 
+  100 (bpo#44022, boo#1189241).
+
 -------------------------------------------------------------------
 Fri Feb 26 18:21:55 UTC 2021 - Matej Cepl <mcepl@suse.com>

--- a/python.spec
+++ b/python.spec
@ -105,6 +105,8 @@ Patch61:        CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch
 # PATCH-FIX-UPSTREAM CVE-2021-23336-only-amp-as-query-sep.patch bsc#[0-9]+ mcepl@suse.com
 # this patch makes things totally awesome
 Patch62:        CVE-2021-23336-only-amp-as-query-sep.patch
+# PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
+Patch63:        bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@ -288,6 +290,7 @@ that rely on earlier non-verification behavior.
 %patch60 -p1
 %patch61 -p1
 %patch62 -p1
+%patch63 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac